Development issues regarding the cerowrt test router project
* [Cerowrt-devel] slowly moving to deploy 3.3.8-6
       [not found] <mailman.38.1340288790.1741.cerowrt-devel@lists.bufferbloat.net>
@ 2012-06-21 20:43 ` Michael Richardson
  2012-06-21 22:21   ` Dave Taht
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Richardson @ 2012-06-21 20:43 UTC (permalink / raw)
  To: cerowrt-devel


After our brief G+ Hangout, I hooked a 100Mb/s switch between my 3800
running CeroWRT and my 24-port Cisco 203 "SOHO" switch.
Then I got layer-2 LINK, and lo and behold things worked.

My network currently looks like this in ASCII art:

      |
      R-X
     / \
    |   \
    |    \
 trusted  service
    |     |                       wife
 me +     |-wrt54gl<~~wireless~~>--+---+-
    |     |                           wii
 .. +     +-mail
          |
          +-www

(X- dead, no longer used)
(R- NetBSD 5.0 machine, PII-400. upgraded to fanless low power PIII-600,
    which died, so back to PII-400)
wrt54gl is running kamikaze, is in living room.



      |
      R-
     / \
  (1|   \2)
    |    \
 trusted  service
    |     |                       wife
 me +     |-wrt54gl<~~wireless~~>--+---+-
    |     |                           wii
    +     +-mail
    |-38--|
          +-www


The Netgear 3800 is inserted between trusted and service right now.
So its upstream is my trusted network, and downstream is my service
network, and current wireless.

From some emails and IRC, I understood that I would not be able to
split the LAN ports on the 3800 into separate LANs.  Maybe not true.
I am currently using VLAN tagging, which works.

So, my switch has VLAN 470 as service already, and this is seen by
the 3800 as network "service" (device se00.470), and I can get v4 and v6
traffic to it.

The ge00 port of the 3800 is plugged into my trusted VLAN (which is VLAN
1).  I can now ssh into the "WAN" side of the CeroWRT.

I set up the cisco switch so that the untagged packets on the se00
interface were placed into vlan 3800, which I exposed to my desktop as
tagged vlan 3800, so my desktop could be behind as well as on the
internet.

(Oh, I have public IPv4s everywhere, btw. /25 at home)

My plan is to sever the link (2) above, and remove the interface on R
for "service" and move that IP to the 3800.  Once I'm happy with that,
I'll promote the 3800 to replace R.

My upstream is bridged DSL ("HSA"), so it looks like ethernet and has
a native IPv4 (/30) and native IPv6 (/64) on it.  No DHCPv6PD on that
link, alas.

Depending upon the wireless strength I see from the 3800 I may obsolete
the wrt54gl, or not.  (It's v4 and v6 *routed*, not bridged).

This email isn't so much a query, as a point of documentation, and 
partial success story.

(Oh, wife's laptop often has flaky wifi, wrt54gl is bg only.
I am blaming Ubuntu oneiric kernel, since it worked great on Hardy.
She spends most days on wired on "trusted" network. Wife laptop is son's
youtube toy.  I will definitely see if I can move the laptop to 802.11a,
where the 3800 will get a chance to AQM/codel it)

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition. 


* Re: [Cerowrt-devel] slowly moving to deploy 3.3.8-6
  2012-06-21 20:43 ` [Cerowrt-devel] slowly moving to deploy 3.3.8-6 Michael Richardson
@ 2012-06-21 22:21   ` Dave Taht
  2012-06-24 21:10     ` Michael Richardson
  0 siblings, 1 reply; 3+ messages in thread
From: Dave Taht @ 2012-06-21 22:21 UTC (permalink / raw)
  To: Michael Richardson; +Cc: cerowrt-devel

Comments:

1) we have a fq_codel enabled build for ubuntu 12.4 contributed by
kamal mostafa on:

https://launchpad.net/~kamalmostafa/+archive/bufferbloat

Haven't been successful at building kernels for prior versions. As for
wireless, YMMV.

2) There are multiple things about vlan behavior in cerowrt and with
AQMs that you could explore. I'm not really sure if the default
cerowrt ifconfig script is going to work right on multiple vlans. (see
/etc/hotplug.d/iface/00-debloat) for one thing.

3) if you enable the vlan on the switch, each port can indeed be a
different network.

4) My intent with the se00 and ge00 naming scheme
was to come up with a clean way to write difficult firewall rules,
using a "s+" or "g+" pattern match, rather than having to write
O(network interface) rules.

http://www.bufferbloat.net/projects/cerowrt/wiki/Device_naming_scheme

This concept doesn't play well with the conventional vlan se00.XXX
naming scheme but I do note that names can be changed on creation to
match some sort of guest/secure split while preserving the capability
for + semantics. That said, the default openwrt firewall (as cerowall
is unfinished) doesn't use +, uses .XXX, and YMMV.

5) it sounds like you already did this... but the ge00 port has
mss-clamping and nat turned on in /etc/config/firewall, you want those
off - and if you want multicast dns to work across that interface, you
need to allow ge00 to also broadcast mdns,
so that's a line removed from /etc/avaha/*

(do not allow more than two of these to exist)

Delighted you are making progress with a real world and
wife-compatible installation.

Are you using qos-scripts or the simple_qos script yet?


-- 
Dave Täht
http://www.bufferbloat.net/projects/cerowrt/wiki - "3.3.8-6 is out
with fq_codel!"
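
Added example illustrating point 4 above; this is not code from the thread, CeroWRT or OpenWrt. It is a small Python model of the trailing "+" interface wildcard that iptables uses for -i/-o, applied to names in the se00/ge00 style. The convention it assumes is the one on the linked device-naming page (leading "s" for the secure side, "g" for the guest/WAN side); the function names, the policy table and the interface list (including the hypothetical renamed guest VLAN gw00.471) are constructed here. Because "+" matches any suffix and does not stop at the dot, the model also makes concrete what a VLAN left with the default se00.XXX name gets: the secure-side rules, whatever traffic it carries.

```python
"""Model of iptables' trailing-'+' interface wildcard versus the CeroWRT
se/ge/sw/gw naming scheme. Added illustration; not CeroWRT or OpenWrt code."""


def iface_matches(pattern, ifname):
    """Mimic iptables -i/-o matching: a trailing '+' matches any suffix
    (the dot in a VLAN name is not a boundary); anything else must match
    the whole name exactly."""
    if pattern.endswith("+"):
        return ifname.startswith(pattern[:-1])
    return ifname == pattern


# Ordered FORWARD policy, first match wins, unmatched pairs fall to DROP.
# Assumed convention (from the device naming scheme the thread links to):
# names starting with 's' are on the secure side, 'g' on the guest/WAN side.
FORWARD_POLICY = [
    ("s+", "s+", "ACCEPT"),  # secure networks may talk to each other
    ("s+", "g+", "ACCEPT"),  # secure may go out towards guest/WAN
    ("g+", "g+", "ACCEPT"),  # guest may go out towards WAN
    ("g+", "s+", "DROP"),    # nothing from the guest side enters secure
]


def forward_verdict(in_if, out_if, policy=FORWARD_POLICY):
    """Return the verdict the ordered policy gives a forwarded packet."""
    for in_pat, out_pat, verdict in policy:
        if iface_matches(in_pat, in_if) and iface_matches(out_pat, out_if):
            return verdict
    return "DROP"


def trust_class(ifname):
    """Which side of the s+/g+ split a name lands on, or None if neither."""
    if iface_matches("s+", ifname):
        return "secure"
    if iface_matches("g+", ifname):
        return "guest"
    return None


def secure_side_vlans(ifnames):
    """List VLAN sub-interfaces that the s+ pattern treats as secure.
    A guest VLAN that kept the default 'se00.XXX' name shows up here."""
    return sorted(n for n in ifnames if "." in n and trust_class(n) == "secure")


if __name__ == "__main__":
    # Constructed interface list: the thread's se00.470 and ge00, a secure
    # and a guest wireless radio, and a hypothetical guest VLAN (gw00.471)
    # renamed so that it carries the 'g' prefix instead of inheriting se00.
    ifaces = ["ge00", "se00", "se00.470", "sw00", "gw00", "gw00.471"]
    for name in ifaces:
        print(f"{name:10s} -> {trust_class(name)}")
    print("WAN -> service VLAN:", forward_verdict("ge00", "se00.470"))
    print("service VLAN -> WAN:", forward_verdict("se00.470", "ge00"))
    print("guest wifi -> LAN:  ", forward_verdict("gw00", "se00"))
    print("VLANs on the secure side:", secure_side_vlans(ifaces))
```

Two things the run shows: a name outside the scheme (eth0, say) matches neither pattern and only gets the default verdict, and the only way a VLAN changes sides is by changing its name, which is the "names can be changed on creation" option Dave mentions. Running secure_side_vlans over the real interface list is a quick way to audit that nothing untrusted is hiding under an se00.XXX name.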


* Re: [Cerowrt-devel] slowly moving to deploy 3.3.8-6
  2012-06-21 22:21   ` Dave Taht
@ 2012-06-24 21:10     ` Michael Richardson
  0 siblings, 0 replies; 3+ messages in thread
From: Michael Richardson @ 2012-06-24 21:10 UTC (permalink / raw)
  To: cerowrt-devel


>>>>> "Dave" == Dave Taht <dave.taht@gmail.com> writes:
    Dave> Comments:

    Dave> 1) we have a fq_codel enabled build for ubuntu 12.4
    Dave> contributed by kamal mostafa on:

    Dave> https://launchpad.net/~kamalmostafa/+archive/bufferbloat

It took me a few reads to get why this mattered... this is for my wife's
laptop.

    Dave> 2) There are multiple things about vlan behavior in cerowrt
    Dave> and with AQMs that you could explore. I'm not really sure if
    Dave> the default cerowrt ifconfig script is going to work right on
    Dave> multiple vlans. (see /etc/hotplug.d/iface/00-debloat) for one
    Dave> thing.

okay, thanks.

    Dave> 3) if you enable the vlan on the switch, each port can indeed
    Dave> be a different network.

Good.  I'm not entirely sure that I care actually, given that I can
create vlans... assuming I can get Gigabit to somehow work directly with
my Cisco switch.

    Dave> 4) My intent with the se00 and ge00 naming scheme was to come
    Dave> up with a clean way to write difficult firewall rules, using a
    Dave> "s+" or "g+" pattern match, rather than having to write
    Dave> O(network interface) rules.

I agree with it.

    Dave> This concept doesn't play well with the conventional vlan
    Dave> se00.XXX naming scheme but I do note that names can be changed
    Dave> on creation to match some sort of guest/secure split while
    Dave> preserving the capability for + semantics. That said, the
    Dave> default openwrt firewall (as cerowall is unfinished) doesn't
    Dave> use +, uses .XXX, and YMMV.

well, my firewall rules/policy are somewhat more complex than just
lan/guest.   I will have:
        trusted (very few incoming ports open, only from known places)
        service (many incoming ports open, few outgoing open)
        wireless ("sw", gets access to printer)
        guest    ("gw", outgoing only, probably NATed)

    Dave> Delighted you are making progress with a real world and
    Dave> wife-compatible installation.

    Dave> Are you using qos-scripts or the simple_qos script yet?

Not yet.

My laptop now spends most days at home in its docking station, as
"desktop", and I have transitioned to a desktop computer at CREDIL, but
I ssh to home to run xemacs+mhe... and *I* sure notice bufferbloat.
(I also run sshfs in both directions at the same time, plus have a 7
year old that would spend all day on youtube if we let him...)
This is despite my ISP having put some QoS at their end....  I have some
very clear smokeping pictures. I hope that codel at my end will help. 

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition. 
